Multiple Vulnerabilities in Adobe Flash Player and Adobe AIR

Systems Affected

• Adobe Flash Player 14.0.0.125 and earlier versions for Windows
• Adobe Flash Player 14.0.0.125 and earlier versions for Macintosh
• Adobe Flash Player 11.2.202.378 and earlier versions for Linux
• Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
• Adobe AIR 14.0.0.110 SDK and earlier versions
• Adobe AIR 14.0.0.110 and earlier versions for Android
• Adobe AIR versions 14.0.0.110 and prior for SDK and Compiler, and Android
• Adobe Flash Player 14.0.0.125 and earlier for Chrome (Windows, Macintosh and Linux)
• Adobe Flash Player 14.0.0.125 and earlier in Internet Explorer 10 for Windows 8.0
• Adobe Flash Player 14.0.0.125 and earlier in Internet Explorer 11 for Windows 8.1

Threat Level

High

Overview

Multiple vulnerabilities have been reported in Adobe Flash Player and Adobe AIR which could allow an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack or to bypass security restrictions and gain access to sensitive information on a targeted system.

Description

1. Cross-Site Request Forgery Vulnerability (CVE-2014-4671)
A CSRF vulnerability exists due to unspecified vectors in Adobe Flash Player and Adobe AIR. A remote attacker could exploit this vulnerability by creating a specially crafted SWF file consisting entirely of alphanumeric characters and having it reflected through a JSONP callback API on the target domain. Successful exploitation of this vulnerability could allow an attacker to bypass same-origin policy restrictions and initiate arbitrary requests to the target domain, leading to the transfer of that domain's data to the remote attacker.
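The description above explains why the attack works: a JSONP endpoint echoes the attacker-chosen callback name as the first bytes of its response, so if that name is itself an alphanumeric SWF, the response is loaded as Flash under the target domain's origin. The hardening below is an added example written for this advisory, not code from Adobe or from the advisory itself. It shows the two server-side measures widely recommended for JSONP endpoints: never let the callback control the first bytes of the body (prefix it with a fixed `/**/` comment) and send `X-Content-Type-Options: nosniff` so the response is not reinterpreted as another type. The function names, the identifier pattern and the `SAMPLE_DATA` payload are constructed for illustration.

```python
import json
import re

# Accept only callback names that look like a (dotted) JavaScript identifier.
# Note that this alone is NOT enough: the crafted SWF described in the advisory
# is purely alphanumeric and would pass this check, which is why the fixed
# prefix below is the decisive control.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64

# Constructed sample payload the JSONP endpoint would return.
SAMPLE_DATA = {"user": "alice", "balance": 42}


def is_valid_callback(name: str) -> bool:
    """True if the callback is a plausible JS identifier of bounded length."""
    return bool(name) and len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(name) is not None


def jsonp_response(callback: str, data: dict) -> tuple:
    """Build (status, headers, body) for a hardened JSONP response.

    The body always starts with server-controlled bytes ("/**/"), so no
    attacker-chosen callback can ever form the start of a file format
    (such as a SWF header) that a plugin would accept.
    """
    if not is_valid_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"invalid callback"

    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Prevent the browser/plugin from guessing a different content type.
        "X-Content-Type-Options": "nosniff",
        # Browsers still execute <script src> loads with this header, but it
        # discourages other consumers from treating the body as a document.
        "Content-Disposition": "attachment; filename=f.txt",
    }
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    return 200, headers, body.encode("utf-8")


def callback_controls_first_bytes(body: bytes, callback: str) -> bool:
    """Check an existing endpoint's response: does the reflected callback
    appear at offset 0?  If so, the endpoint is exposed to the class of
    attack described in this advisory and should be fixed."""
    return body.startswith(callback.encode("utf-8"))


if __name__ == "__main__":
    # An alphanumeric-only callback passes validation, yet the hardened
    # response no longer starts with attacker-chosen bytes.
    status, headers, body = jsonp_response("A1b2C3", SAMPLE_DATA)
    print(status, headers["X-Content-Type-Options"], body.decode())
    print("attacker controls first bytes:", callback_controls_first_bytes(body, "A1b2C3"))
```

The `callback_controls_first_bytes` helper is meant for auditing: run it over captured responses from your own JSONP endpoints with the callback you supplied, and any `True` result marks an endpoint that still needs the prefix.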

2. Security Bypass Vulnerabilities (CVE-2014-0537, CVE-2014-0539)
These vulnerabilities exist due to unspecified errors in Adobe Flash Player and Adobe AIR. A remote attacker could exploit these vulnerabilities by enticing a user to load specially crafted Flash content. Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions and gain access to sensitive information.